Política de Privacidade
Última revisão: 2026-05-24
1. Who We Are and How to Contact Us
[PLACEHOLDER — LEGAL ENTITY TBD] (trading as "DreamLnds") is the data controller responsible for the processing of your personal data in connection with the DreamLnds platform and its associated applications (Travel Planner, Band Match, Creator Studio, DreamLnds Ads, and future verticals).
[PLACEHOLDER — legal entity razão social, CNPJ, and registered address to be inserted at December 2026 company-ready milestone, once Brazilian legal entity is formally constituted.]
Data Protection Contact (DPO/Privacy channel):
Email: privacy@dreamlnds.com
Postal address: [PLACEHOLDER — legal address, follows legal entity constitution]
You may use this channel to exercise any of your data-subject rights (Section 9) or to ask any question about this Policy. We will respond within 15 days, as required by LGPD Art. 18, §5.
DreamLnds has not appointed a formal DPO — LGPD does not mandate one at current scale. The privacy@dreamlnds.com channel is the designated point of contact for all data-subject rights requests and privacy inquiries.
2. Scope of This Policy
This Privacy Policy applies to:
- The DreamLnds web platform accessible at dreamlnds.com.br (and dev/staging environments for authorized testers).
- All app verticals available through the DreamLnds platform (Travel Planner, Band Match, Creator Studio, DreamLnds Ads, and any verticals launched in the future).
- Any communications sent by DreamLnds (email, push notifications, in-app messages).
It applies regardless of the market or country from which you access DreamLnds. Users in Brazil are protected by the Lei Geral de Proteção de Dados Pessoais (LGPD — Law 13,709/2018). Users in the European Union or European Economic Area are protected by the General Data Protection Regulation (GDPR). Where both frameworks apply, we adopt the stricter of the two requirements.
3. Personal Data We Collect and Why
We collect only what is strictly necessary for the purposes described below (LGPD Art. 6, III — necessity; Art. 6, X — minimization).
3.1 Account and Identity Data
Data collected: Full name, email address, chosen display name, profile photo (optional), date of birth (mandatory — see age verification note below), preferred language.
Why: To create and maintain your account, authenticate your identity, allow other users to find and follow you, and deliver platform features.
Age verification — date of birth: DreamLnds requires users to be 18 years of age or older (see Section 11). We collect your date of birth at signup for the sole purpose of verifying that you meet this minimum age requirement. Date of birth is stored in your account record and is not shared with other users, not used for advertising targeting, and not transferred to third parties beyond the infrastructure processors listed in Section 6.
Legal basis for date of birth (LGPD): Compliance with a legal/regulatory obligation (Art. 7, II) — age-gating is required to comply with LGPD Art. 14 (prohibition on collecting data from minors without parental consent) — combined with legitimate interest (Art. 7, IX) in ensuring the platform's age-appropriate use. Under GDPR where applicable, the equivalent basis is Art. 6(1)(c) (legal obligation) and Art. 6(1)(f) (legitimate interests).
Legal basis for remaining account data (LGPD): Execution of contract / service agreement (Art. 7, V). You cannot use DreamLnds without an account, so this processing is necessary to fulfill the service you requested. Where GDPR applies, the equivalent basis is Art. 6(1)(b) — performance of a contract.
Retention: For as long as your account is active, plus 30 days after account deletion (soft-delete period). After 30 days, personal identifiers — including date of birth — are permanently deleted; anonymized aggregates may be retained indefinitely for statistical purposes.
3.2 Dream Content and Profile Data
Data collected: Dreams you create (title, description, category, photos, status updates, progress entries), privacy settings for each dream (public/private), vertical-specific profile data (music profiles, creator profiles, travel itineraries).
Why: To deliver the core dream-sharing and realization features of the platform, including the Dream Feed, social connections, and vertical-specific tools.
Legal basis (LGPD): Consent (Art. 7, I), freely given and specific to each vertical you join. You may delete any dream content at any time, which constitutes effective consent withdrawal for that content.
Sensitive data note (LGPD Art. 11): Dream categories may, depending on the dreams you choose to share, implicitly reveal data classified as sensitive under LGPD Art. 11 — such as health and medical aspirations, religious beliefs, sexual orientation, or racial/ethnic identity. DreamLnds does not explicitly ask for sensitive data. However, if you voluntarily share a dream that touches these dimensions, we treat the resulting data with heightened care: it is never used for advertising targeting, never shared with third parties beyond the processors listed in Section 6, and is processed exclusively to deliver the dream-sharing feature you requested. We are currently mapping all dream categories against LGPD Art. 11 to identify which warrant an additional, highlighted consent dialog — [FERNANDO DECISION] this mapping must be completed (joint Data + Compliance task — Gate G3 in PIA-DATA-007) before any category is used for automated profiling.
Retention: Until you delete the content or delete your account.
3.3 Social Graph Data
Data collected: Follow relationships (who you follow, who follows you), connection timestamps.
Why: To power the social layer of DreamLnds — friend feeds, mutual connections, community features.
Legal basis (LGPD): Legitimate interest (Art. 7, IX). Running a social platform requires maintaining the graph of connections between users. Follow relationships are minimized (user IDs and timestamp only) and visible to both parties. Our legitimate interest does not override your right to disconnect — unfollowing or deleting your account removes you from others' graphs immediately.
Retention: Until you unfollow or delete your account. Anonymized counts (number of followers at time of deletion) may be retained for statistical purposes.
3.4 Analytics and Usage Data
Data collected: Pages visited, features used, events triggered (e.g., "dream created", "profile viewed"), session duration, device type, browser, operating system. Analytics events are pseudonymized — they use an internal analytics ID, not your name or email.
Why: To understand how DreamLnds is used, identify bugs and friction points, and improve the product.
Legal basis (LGPD): Consent (Art. 7, I). Analytics collection via PostHog is opt-in only and gated behind the cookie/tracking consent banner. You will be asked for this consent separately from account creation. You may withdraw this consent at any time via Settings > Privacy.
Tool used: PostHog (configured with `respect_dnt: true`; Do Not Track signals honored). See Section 6 for PostHog's data-processing role.
Retention: Analytics events are retained for 12 months on a rolling basis, after which they are automatically purged from PostHog. Aggregated, anonymized usage statistics may be retained indefinitely.
3.5 Payment and Subscription Data
Data collected: Stripe customer ID, Stripe subscription ID, subscription status, billing cycle. We do not store card numbers, CVV codes, or full payment card details — these remain exclusively with Stripe.
Note: As of the publication date of this Policy, payment processing is in SANDBOX mode — no real charges are processed. This section describes how data will be handled once real billing is activated. This caveat will be removed at the December 2026 company-ready milestone when live billing is activated.
Why: To manage your subscription, process payments, fulfill entitlements (premium features), and comply with accounting and tax obligations.
Legal basis (LGPD): Execution of contract (Art. 7, V) for subscription management. Legal obligation (Art. 7, II) for financial record-keeping requirements.
Retention: Subscription records: for the duration of the subscription plus 5 years (Brazilian accounting/tax legal requirement — Lei 10,406/2002 and applicable tax law). Stripe's own retention policy applies to payment data held on their side.
3.6 AI Feature Data (OpenAI as Processor)
Data collected: Text content you provide as input to AI-powered features (e.g., AI travel plan generation, Band Match AI matching, AI content suggestions). This may include dream descriptions, profile summaries, or search queries you type into AI-assisted interfaces.
Why: To generate AI-powered recommendations, matches, and content that help you realize your dreams faster.
Legal basis (LGPD): Consent (Art. 7, I) for personalization features; Legitimate interest (Art. 7, IX) for product functionality improvement. For features where AI processing is integral to the service (e.g., Band Match's AI matching), the legal basis is execution of contract (Art. 7, V).
Important — international transfer: Your input data for AI features is processed by OpenAI (United States) acting as a data processor on DreamLnds's behalf. See Section 7 (International Transfers) for the safeguards in place.
Data minimization: Before any content is sent to OpenAI, DreamLnds applies pseudonymization — we send categories, preference codes, and contextual signals rather than your name, email, or direct identifiers. User IDs sent to OpenAI are one-way hashed.
OpenAI's role: OpenAI processes your pseudonymized data solely to generate the AI output you requested. OpenAI does not train its models on data submitted via the API by default, per OpenAI's API data usage policy. OpenAI is a sub-processor bound by the data processing terms in the OpenAI API Terms of Service.
Retention: AI-generated outputs (plans, matches, suggestions) are retained as part of your dream/profile data (see 3.2). Input queries are not retained separately beyond the OpenAI API call.
3.7 Marketing Communications
Data collected: Email address, push notification token (if you opted in to push), communication preferences.
Why: To send you updates about DreamLnds features, tips to realize your dreams, and (if consented) promotional campaigns.
Legal basis (LGPD): Consent (Art. 7, I), opt-in only. Marketing emails are never sent on the basis of legitimate interest. You control this via the unsubscribe link in every marketing email and via Settings > Notifications.
Transactional emails (account confirmation, password reset, billing receipts) are sent under execution of contract (Art. 7, V) and do not require marketing consent.
Retention: Until you withdraw consent (unsubscribe). Unsubscribe records are kept indefinitely to honor your preference and avoid re-contacting you.
3.8 Cookies and Similar Technologies
Essential cookies (always active): Session authentication, CSRF protection, language preference. These are strictly necessary to operate the platform and cannot be disabled without breaking the service. No consent is required for essential cookies.
Analytics cookies (opt-in): PostHog tracking cookie (`ph_*`). Active only after you grant consent via the cookie banner. Honors Do Not Track browser signals.
Marketing/advertising cookies (opt-in): Google Ads conversion tracking (`_gcl_*`, `gtag`). Active only after you grant advertising consent via the cookie banner, which is unchecked by default.
How to manage cookies: You may change your cookie preferences at any time via the cookie settings link in the footer, or via your browser's cookie management interface. Withdrawing consent for analytics/marketing cookies stops new collection; it does not retroactively delete data already transmitted.
4. Advertising and Dream-Category Targeting
DreamLnds Ads uses contextual targeting only — ads are matched to the dream category you are browsing (e.g., travel ads on travel dreams), your declared location preference, and general device/language context. We do not build behavioral surveillance profiles for advertising purposes.
[FERNANDO DECISION] — The Customer Memory advertising targeting (ADS-003) is blocked pending separate advertising consent flow approval (PIA Gate G4). Until that flow is built and approved by CCO, no Customer Memory data may be used for ad targeting. This policy section will need to be updated when ADS-003 is activated.
If you have given advertising consent (`ads_consent` field in your profile), ads may be matched against declared dream categories. This consent can be withdrawn at any time in Settings > Privacy > Advertising.
Advertising consent is separate from general LGPD consent. Withdrawing advertising consent does not affect your account or access to platform features.
5. Data Minimization and Sensitive Data (LGPD Art. 6, III and Art. 11)
We apply the principle of necessity: we collect only the minimum personal data required to deliver each feature. We do not collect:
- Government ID numbers (CPF, RG, passport) — unless legally required for a future feature, which would trigger a new consent and policy update.
- Real-time GPS location tracking.
- Biometric data.
- Financial account details beyond Stripe-managed identifiers.
Sensitive data (LGPD Art. 11): We do not deliberately solicit data classified as sensitive. However, as noted in Section 3.2, dream content may incidentally touch sensitive dimensions. If we identify that a specific dream category systematically captures sensitive-class data, we will:
1. Add a specific, highlighted consent dialog for that category before collecting it.
2. Update this Privacy Policy within 30 days of identifying the category.
3. Apply heightened processing restrictions (no advertising use, no third-party sharing beyond necessary processors, no automated profiling).
6. Third-Party Processors (Sub-Processors)
DreamLnds shares your personal data with the following service providers acting as data processors on our behalf. All processors are bound by contractual obligations to process your data only on our instructions and in compliance with applicable data protection law.
| Processor | Country | Purpose | Data shared | Data-processing agreement |
|---|---|---|---|---|
| Supabase, Inc. | United States (AWS us-east-1 — Northern Virginia) | Database hosting, authentication, file storage, real-time features | All personal data stored in the platform database — this is the primary data store; all your account, profile, and content data physically resides on US servers. See Section 7 for the Art. 33 transfer basis. | Supabase DPA (accepted via Supabase Terms of Service) |
| Vercel, Inc. | United States | Frontend hosting, CDN, preview deployments | IP addresses in server logs, session tokens in request headers | Vercel DPA (accepted via Vercel ToS) |
| Stripe, Inc. | United States | Payment processing, subscription management | Name, email, billing address (if provided), payment method metadata | Stripe Connected Account Agreement + Data Processing Agreement |
| OpenAI, L.L.C. | United States | AI-powered features (GPT-4o): travel plan generation, Band Match, content suggestions | Pseudonymized preference codes and contextual signals derived from your dream content (not your name, email, or direct identifiers — see §3.6). OpenAI does not train its models on data submitted via the API by default; this is governed by OpenAI's API data usage policy. | OpenAI API Terms of Service (which include data processing terms) |
| Resend, Inc. | United States | Transactional and marketing email delivery | Email address, email content | Resend Data Processing Agreement |
| PostHog, Inc. | United States (cloud); EU option available | Product analytics, feature usage tracking | Pseudonymized analytics events (no name, no raw email — analytics ID only). Only if you have given analytics consent. | PostHog Data Processing Agreement |
| Google LLC (Maps Platform) | United States | Interactive maps in travel planning features | Map queries (destination names, coordinates you search for). Not linked to your DreamLnds account in transit. | Google Maps Platform Terms + GDPR/LGPD DPA |
| Google LLC (Ads / Conversion Tracking) | United States | Advertising conversion measurement | Pseudonymized conversion events (hashed email for conversion matching). Only if you have given advertising consent. | Google Ads Data Processing Terms |
| Sentry, Inc. | United States | Application error tracking and performance monitoring | Error context including partial request data; personal data is scrubbed from Sentry events by configuration — logs must not contain raw PII. | Sentry Data Processing Agreement |
We do not sell your personal data to any third party. We do not share your personal data with advertisers beyond what is described above (contextual signals only, under advertising consent).
7. International Data Transfers (LGPD Art. 33 and GDPR Chapter V)
All DreamLnds processors are based in the United States. This means that your personal data — including your primary account data, dream content, and profile — is stored and processed in the United States. This is a direct consequence of our infrastructure choices (Supabase on AWS us-east-1; Vercel CDN; OpenAI; Stripe; Resend; PostHog; Google; Sentry). We disclose this prominently because LGPD Art. 33 requires transparency about international transfers, and because GDPR Chapter V (Arts. 44–49) imposes its own conditions on transfers of personal data outside the EU/EEA.
Structural context: DreamLnds is in the process of establishing a corporate structure with a US holding entity and a Brazilian operating subsidiary. US-based hosting is structurally aligned with this model, and both entities will be bound by the same data protection obligations set out in this Policy. This structure will be formalized at the December 2026 company-ready milestone.
7.1 Transfer bases under LGPD (Art. 33)
The legal bases for these transfers under LGPD Art. 33 are:
- Supabase (primary database and auth): Transfer is necessary for the execution of the service contract with you (Art. 33, V). Supabase hosts the entire DreamLnds database; the service cannot function without it. This is the most significant transfer in scope — it covers all personal data we hold.
- Vercel (frontend hosting): Transfer is necessary for the execution of the service contract (Art. 33, V). Vercel serves the DreamLnds web application globally.
- Resend, PostHog, Sentry: Transfer is necessary for the execution of the service contract (Art. 33, V). These processors support email delivery, analytics (consent-gated), and error monitoring — all integral to platform operation.
- OpenAI: Transfer is based on consent (Art. 33, I). When you use AI-powered features, you consent to your pseudonymized preference data being processed by OpenAI on US servers. Because the data sent is pseudonymized (categories and codes — not your name, email, or direct identifiers), the identifiability and therefore the privacy risk of this transfer is materially reduced. OpenAI contractually does not use API-submitted data to train its models by default.
- Stripe: Transfer is necessary for the execution of the payment contract (Art. 33, V).
- Google (Maps + Ads): Transfer is based on contract necessity (Maps — integral to Travel features) and consent (Ads conversion tracking — only if you have given advertising consent).
ANPD adequacy status: The United States does not hold a formal adequacy decision from the ANPD equivalent to the EU's adequacy decisions. The ANPD has not yet issued general standard contractual clauses for US transfers. DreamLnds monitors ANPD guidance; if the ANPD mandates specific transfer mechanisms (SCCs or similar), we will execute those with each processor above and update this section within 30 days. Compliance will track and escalate ANPD publications proactively.
7.2 Transfer bases under GDPR (Chapter V) — EU/EEA users
For users in the EU/EEA, transfers of personal data to the United States are made on the following bases, in order of preference:
- EU-US Data Privacy Framework (DPF): Where a processor is certified under the EU-US Data Privacy Framework, that certification provides an adequacy basis for the transfer under GDPR Art. 45. The European Commission's adequacy decision of 10 July 2023 recognizes the DPF as providing an adequate level of protection for personal data transferred to certified US organizations. We rely on DPF certification where the processor holds and maintains an active certification.
- Standard Contractual Clauses (SCCs): Where a processor is not DPF-certified (or its certification lapses), we rely on the European Commission's Standard Contractual Clauses (Module 2, controller-to-processor) under GDPR Art. 46(2)(c), together with supplementary technical and organizational measures (encryption in transit and at rest, pseudonymization before transfer to AI processors, access controls, and contractual transparency commitments) following the EDPB's guidance on supplementary measures.
- Derogations (Art. 49): For specific, occasional transfers integral to a service you have explicitly requested (for example, AI features), we may additionally rely on your explicit consent (Art. 49(1)(a)) or the necessity of the transfer for the performance of a contract with you (Art. 49(1)(b)). These derogations are used as a complement to, not a replacement for, the appropriate-safeguards mechanisms above.
You may request a copy of the relevant safeguards (for example, the SCCs in place with a given processor) by contacting the privacy channel in Section 1.
7.3 EU Representative (GDPR Art. 27)
DreamLnds is established in Brazil and currently directs the Service primarily at the Brazilian market. Where GDPR Art. 27 applies because we offer the Service to, or monitor the behavior of, data subjects in the EU/EEA, we will appoint a representative in the Union before actively offering the Service to EU/EEA data subjects. [PLACEHOLDER — EU Art. 27 representative to be appointed before EU launch] — the representative's name and contact details will be inserted here at that time, and EU/EEA users will be able to contact the representative on all matters relating to the processing of their personal data.
7.4 Breach notification
LGPD Art. 48: In the event of a data breach that may put your rights and freedoms at risk, DreamLnds will notify the ANPD within 72 hours of becoming aware of the breach, and will notify affected users without undue delay.
GDPR Arts. 33–34: Where the breach affects EU/EEA users, we will notify the competent supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to rights and freedoms) and communicate the breach to affected data subjects without undue delay where it is likely to result in a high risk to them.
8. Data Retention
| Data category | Retention period | Deletion mechanism |
|---|---|---|
| Account / identity data | Duration of active account + 30 days soft-delete | Permanent deletion after 30-day period |
| Dream content (public/private) | Until you delete the content or the account | Soft-delete (`deleted_at`) → permanent after 30 days |
| Social graph (follows) | Until unfollow or account deletion | Immediate hard delete on unfollow; cascade on account deletion |
| Subscription / payment records | 5 years after subscription ends | Retained for legal/accounting compliance |
| Analytics events (PostHog) | 12 months rolling | PostHog project retention policy — auto-purged after 12 months |
| AI query inputs | Not retained beyond the API call | Not stored by DreamLnds |
| Marketing consent records | Indefinitely (to honor opt-out) | Not deleted — necessary to prove non-contact |
| Unsubscribe records | Indefinitely | Not deleted |
| Error logs (Sentry) | 30 days rolling | Sentry project retention policy — auto-purged after 30 days |
| Date of birth (age verification) | Duration of active account + 30 days soft-delete | Permanently deleted with account; not retained separately |
| Consent audit records | 5 years | As required for legal accountability |
Soft-delete policy: When you delete a dream, a profile field, or your account, we mark the record with a `deleted_at` timestamp. The data becomes immediately inaccessible to other users. Permanent deletion follows after 30 days, allowing recovery from accidental deletion within that window. If you need immediate permanent deletion, contact us at the DPO channel in Section 1.
9. Your Rights as a Data Subject (LGPD Art. 18)
You have the following rights regarding your personal data. You may exercise all of them through Settings > Privacy & Data or by contacting the DPO channel in Section 1.
| Right | What it means | How to exercise |
|---|---|---|
| Access (Art. 18, II) | Know what personal data we hold about you. | Settings > Privacy & Data > "Download my data" |
| Correction (Art. 18, III) | Fix inaccurate or outdated data. | Profile edit for most fields; DPO channel for fields not self-editable. |
| Deletion / Right to be forgotten (Art. 18, VI) | Request deletion of your personal data. | Settings > Account > "Delete account". Permanent deletion within 30 days. |
| Portability (Art. 18, V) | Receive your data in a structured, machine-readable format. | Settings > Privacy & Data > "Export my data" (JSON/CSV). |
| Consent withdrawal (Art. 18, IX) | Withdraw any consent you have given, at any time, as easily as you gave it. | Settings > Privacy > toggle individual consents off. Withdrawal stops processing and schedules deletion of consent-based data within 15 days. |
| Opt-out of automated decision-making (Art. 20) | Request human review of any automated decision that significantly affects you. | Contact DPO channel. We will review within 15 days. |
| Information on sharing (Art. 18, VII) | Know with which entities your data is shared. | This Policy, Section 6. |
| Information on consequences of not consenting (Art. 18, VIII) | Understand what happens if you withhold consent. | Explained at each consent prompt in the app. |
We will respond to all rights requests within 15 days of verified receipt (LGPD Art. 18, §5). In complex cases we may extend by a further 15 days, with notice.
We will verify your identity before processing any deletion or export request. Verification is done via your logged-in session or, for requests from logged-out users, via a one-time code sent to your registered email.
Automated decision-making (LGPD Art. 20): Our recommendation and matching features (such as dream-affinity recommendations and Band Match AI matching) are not solely-automated decisions that produce legal effects concerning you or that similarly significantly affect you. They surface suggestions you remain free to ignore, edit, or override; no consequential decision about you (such as eligibility, pricing, or account standing) is taken solely by automated means. You may nonetheless request information about the criteria and procedures behind any automated processing, and request human review, by contacting the privacy channel in Section 1. We will respond within 15 days.
10. Your Rights in the EU/EEA (GDPR)
If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) applies to the processing of your personal data and grants you the rights below, in addition to and in parallel with the LGPD rights in Section 9. Where both frameworks apply, we honor the stricter standard.
| Right | GDPR basis | How to exercise |
|---|---|---|
| Access | Art. 15 | Settings > Privacy & Data > "Download my data"; or the privacy channel in Section 1. |
| Rectification | Art. 16 | Profile edit for most fields; privacy channel for fields not self-editable. |
| Erasure / "right to be forgotten" | Art. 17 | Settings > Account > "Delete account". Permanent deletion within 30 days. |
| Restriction of processing | Art. 18 | Contact the privacy channel; we will restrict processing while a dispute or accuracy check is resolved. |
| Data portability | Art. 20 | Settings > Privacy & Data > "Export my data" (JSON/CSV). |
| Objection | Art. 21 | Object to processing based on legitimate interests (e.g., social-graph processing) via the privacy channel; opt out of direct marketing at any time. |
| Withdraw consent | Art. 7(3) | Settings > Privacy > toggle individual consents off, as easily as consent was given. |
| Not be subject to solely-automated decisions | Art. 22 | See "Automated decision-making" below. |
Legal bases (GDPR Art. 6). The GDPR equivalents of the LGPD bases used throughout this Policy are: performance of a contract (Art. 6(1)(b)) for account and core service data; consent (Art. 6(1)(a)) for analytics, marketing, advertising, and AI personalization; legitimate interests (Art. 6(1)(f)) for the social graph, security, and error monitoring; and legal obligation (Art. 6(1)(c)) for age verification and financial record-keeping. Special-category data (GDPR Art. 9 — the EU equivalent of LGPD Art. 11 sensitive data) is processed only on the basis of your explicit consent or where you have manifestly made it public, and is never used for advertising or automated profiling (see Sections 3.2 and 5).
Automated decision-making (GDPR Art. 22). As stated in Section 9, our recommendations and matches are not decisions based solely on automated processing that produce legal effects or similarly significantly affect you. Where Art. 22 would otherwise apply, you have the right to obtain human intervention, to express your point of view, and to contest the decision — exercise these via the privacy channel in Section 1.
Cookies and ePrivacy. In line with the ePrivacy Directive (2002/58/EC) as implemented in EU/EEA member states, non-essential cookies and similar technologies (analytics and advertising) are placed on your device only after you have given prior, specific, informed consent through our consent banner, which is unchecked by default for non-essential categories. Strictly necessary cookies are exempt from the consent requirement. See Section 3.8 for details and how to manage your choices.
Lead supervisory authority and complaints. You have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement (GDPR Art. 77). Until DreamLnds establishes a "main establishment" in the EU/EEA, no single lead supervisory authority is designated; you may contact any competent EU/EEA data protection authority. A list of EU/EEA authorities is published by the European Data Protection Board (edpb.europa.eu). This is in addition to your right to complain to the ANPD (Section 16) and does not affect any other administrative or judicial remedy.
EU Representative (Art. 27). Where required, DreamLnds will appoint an EU representative before actively offering the Service to EU/EEA data subjects — see Section 7.3.
11. Your United States Privacy Rights (CCPA/CPRA and other state laws)
This Section applies to residents of US states with comprehensive privacy laws. It supplements the rest of this Policy and, for California residents, is provided under the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, the "CCPA").
11.1 Categories of personal information we collect (CCPA)
In the past 12 months, DreamLnds has collected the following statutory categories of personal information. "Disclosed to processors?" refers to the service providers/contractors listed in Section 6, who are contractually prohibited from using the information for their own purposes.
| CCPA category | Collected? | Source | Business / commercial purpose | Disclosed to processors? |
|---|---|---|---|---|
| Identifiers (name, email, account ID, IP address) | Yes | You (at signup); your device | Account creation, authentication, service delivery, security | Yes (Supabase, Vercel, Resend, Sentry) |
| Customer records (Cal. Civ. Code §1798.80 — name, contact, payment metadata) | Yes | You; Stripe | Account and subscription management, billing | Yes (Stripe, Supabase) |
| Commercial information (subscription status, transaction records) | Yes | You; Stripe | Manage subscriptions, fulfill entitlements, accounting | Yes (Stripe, Supabase) |
| Internet / network activity (pages viewed, features used, events, device/browser) | Yes (consent-gated) | Your device | Product analytics and improvement (only with consent) | Yes (PostHog), only with consent |
| Geolocation (coarse only — declared location preference, destination searches) | Yes (coarse) | You | Travel features, contextual relevance | Yes (Supabase, Google Maps) — no precise/real-time GPS collected |
| Audio / visual (avatars, photos, and other content you upload) | Yes | You | Display your profile and dream content per your privacy settings | Yes (Supabase storage) |
| Professional / employment information | No | — | Not collected | No |
| Education information | No | — | Not collected | No |
| Inferences (dream-category affinities, recommendations) | Yes | Derived from your content | Personalize recommendations and matches (not for behavioral ad profiling) | Yes (OpenAI — pseudonymized), with consent |
| Sensitive Personal Information (CCPA §1798.140(ae)) | Incidental only | You (voluntarily, via dream content) | None solicited; if you voluntarily share a dream touching health, religion, sexual orientation, or racial/ethnic identity, it is processed only to deliver the feature you requested | Not disclosed beyond necessary infrastructure processors; never used for inferences about you or for advertising |
We do not collect biometric information, government identifiers (Social Security, driver's license, passport), or precise geolocation.
11.2 We do not sell or "share" your personal information
DreamLnds does not sell your personal information for money or other valuable consideration, and does not "share" it for cross-context behavioral advertising, as those terms are defined under the CCPA. Our advertising is contextual and consent-gated (see Section 4). Because the platform is restricted to users 18 and older (Section 14) and we do not sell or share personal information, the CCPA's minor opt-in requirements (for consumers under 16) do not apply to us.
11.3 Your California consumer rights
Subject to verification, California residents have the right to:
- Know / access the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties to whom it is disclosed.
- Delete personal information we have collected from you, subject to statutory exceptions (e.g., completing a transaction, security, legal compliance).
- Correct inaccurate personal information we maintain about you.
- Opt out of the sale or sharing of personal information. We do not sell or share personal information, so there is nothing to opt out of; we nonetheless provide a "Do Not Sell or Share My Personal Information" control for transparency.
- Limit the use and disclosure of sensitive personal information to what is necessary to provide the Service. Because we do not use sensitive personal information to infer characteristics about you, and use it only to deliver requested features, this right is honored by default; we nonetheless provide a "Limit the Use of My Sensitive Personal Information" control.
- Non-discrimination: We will not discriminate against you for exercising any of these rights. We do not offer financial incentives in exchange for personal information.
11.4 How to exercise your US privacy rights
You may exercise these rights through Settings > "Your Privacy Choices" — which exposes the "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" controls — or by emailing privacy@dreamlnds.com.
- Authorized agents: You may use an authorized agent to submit a request on your behalf. We will require written authorization signed by you and, in most cases, verification of your own identity.
- Identity verification: To protect your data, we verify your identity (via your logged-in session, or a one-time code to your registered email) before fulfilling access, deletion, or correction requests. We may decline to act on a request we cannot reasonably verify.
- Response window: We will confirm receipt within 10 business days and respond substantively within 45 days. Where reasonably necessary, we may extend this by an additional 45 days (90 days total), and will notify you of the extension and the reason, consistent with the CCPA.
11.5 "Shine the Light" (California Civil Code §1798.83)
California residents may request, once per calendar year, information about the categories of personal information (if any) we disclosed to third parties for those third parties' own direct marketing purposes. DreamLnds does not disclose personal information to third parties for their own direct marketing, so there is nothing to report. You may direct any "Shine the Light" inquiry to privacy@dreamlnds.com.
11.6 Enforcement authorities (California)
California residents may contact the California Privacy Protection Agency (CPPA) (cppa.ca.gov) and/or the California Attorney General (oag.ca.gov/privacy) regarding the handling of their personal information.
11.7 Other US states
If you reside in a US state with a comprehensive consumer privacy law — including, among the roughly twenty such laws in effect by 2026, Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and Montana (MCDPA) — you have rights analogous to the California rights above: to access, correct, delete, and obtain a portable copy of your personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling. DreamLnds honors these rights through the same mechanisms described in Section 11.4 (Settings > "Your Privacy Choices" and privacy@dreamlnds.com), and does not sell personal data or engage in targeted advertising or consequential profiling. As of 2026 there is no comprehensive US federal privacy law; these protections derive from state law. Where a state grants a right to appeal a declined request, you may appeal by replying to our decision; if your appeal is denied, the laws of several states allow you to contact your state attorney general.
12. Artificial Intelligence and Automated Features (EU AI Act)
DreamLnds uses artificial intelligence to help you realize your dreams. This Section describes those features and how we comply with the EU Artificial Intelligence Act (Regulation (EU) 2024/1689, the "AI Act"), in addition to the automated-decision provisions in Sections 9 and 10.
12.1 AI features we offer
- Travel AI itinerary generation — drafts suggested travel plans from your inputs.
- Dream-affinity recommendations — suggests dreams, people, and content that may interest you.
- Band Match AI matching — proposes potential musical collaborators.
- AI content suggestions — helps you draft and refine content (e.g., creator descriptions).
12.2 Risk classification and transparency
We classify these features as limited-risk AI systems under the AI Act. They are not high-risk systems and do not involve any prohibited practice: DreamLnds does not perform social scoring, does not use AI for biometric categorization or emotion recognition, and does not deploy manipulative or deceptive AI design. Consistent with the AI Act's transparency obligations:
- You are clearly informed when you are interacting with an AI feature.
- Content that is generated or meaningfully assisted by AI is labeled as such in the user interface (for example, AI-generated itineraries and suggestions carry a visible label).
- AI outputs are suggestions only; you remain in control and may edit, accept, or discard them.
12.3 How the AI processes your data
Before any content is sent to our AI processor, DreamLnds pseudonymizes it — we send categories, preference codes, and contextual signals rather than your name, email, or direct identifiers (see Section 3.6). Our AI processor is OpenAI, acting on DreamLnds's behalf and bound by data-processing terms; OpenAI does not train its models on data submitted via the API by default (see Sections 3.6 and 6). The international-transfer safeguards in Section 7 apply.
12.4 Human review
Because our AI features are not solely-automated decisions producing legal or similarly significant effects (Sections 9 and 10), no consequential decision about you is taken by AI alone. You may nonetheless request human review of any AI-assisted output that affects you, via the privacy channel in Section 1.
13. Security
We implement technical and organizational measures appropriate to the risk, including:
- Row Level Security (RLS): Every table in the DreamLnds database has RLS policies active. Users can only read and write their own data. Service-role access is restricted to automated processes and is audited.
- Encryption in transit: All traffic between your browser and DreamLnds servers is encrypted via HTTPS (TLS 1.2+). All API calls to third-party processors use HTTPS.
- Encryption at rest: Database and file storage are encrypted at rest by Supabase/AWS infrastructure.
- Authentication: Managed via Supabase Auth with secure session tokens; passwords are hashed and never stored in plaintext.
- Secrets management: API keys and credentials are rotated regularly and stored in environment variables, never in source code.
- Logging policy: Application logs must not contain personal data (name, email, raw user IDs). This is enforced in our engineering standards.
Despite these measures, no system is completely immune to breach. In the event of a data breach affecting your rights and freedoms, we will notify the relevant supervisory authority (ANPD) within 72 hours of becoming aware of the breach (LGPD Art. 48), and notify affected users without undue delay.
14. Children's Data
DreamLnds is intended for users aged 18 years or older. We do not knowingly collect personal data from anyone under 18. This minimum age eliminates LGPD Art. 14 parental-consent complexity, removes the GDPR Art. 8 child-consent threshold from scope, and removes the CCPA minor opt-in requirement from scope — ensuring a straightforward compliance posture at launch.
We collect date of birth at signup for the sole purpose of verifying this age requirement (see Section 3.1). Users who provide a date of birth indicating they are under 18 will not be permitted to complete registration.
If we learn that a user below the age of 18 has created an account — for example through a false date of birth — we will immediately suspend and permanently delete that account and all associated data, without prior notice. If you believe a minor has registered, please contact us at privacy@dreamlnds.com and we will act promptly.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the features we offer, or applicable law. When we make material changes:
- We will update the "Effective date" at the top of this page.
- We will display a notice in the app for 30 days before the change takes effect for existing users.
- For changes that require renewed consent (e.g., a new processing purpose or a new category of personal data), we will request that consent actively — we will not assume continued use constitutes acceptance of material changes that require consent.
Minor changes (corrections, clarifications that do not alter the substance of your rights or our processing) take effect upon publication without specific notice, but the effective date will always reflect the most recent revision.
The history of policy versions will be maintained at dreamlnds.com.br/privacy/history (page to be published alongside this Policy).
16. Supervisory Authorities and How to Complain
If you believe your data protection rights have been violated and our privacy channel has not resolved your concern, you have the right to lodge a complaint with the authority for your jurisdiction:
Brazil — Autoridade Nacional de Proteção de Dados (ANPD)
Website: gov.br/anpd
Email: anpd@anpd.gov.br
EU/EEA: You may lodge a complaint with the data protection supervisory authority of your habitual residence, place of work, or place of the alleged infringement (GDPR Art. 77). A directory of EU/EEA authorities is maintained by the European Data Protection Board (edpb.europa.eu). See Section 10 for details, including the status of any lead supervisory authority.
California: California Privacy Protection Agency (cppa.ca.gov) and/or the California Attorney General (oag.ca.gov/privacy). See Section 11.6.
Other US states: Your state attorney general, where your state's comprehensive privacy law provides for complaints. See Section 11.7.
17. Governing Law
This Policy is governed by the laws of the Federative Republic of Brazil, specifically LGPD (Law 13,709/2018) and, where applicable, the GDPR (Regulation (EU) 2016/679) and EU AI Act (Regulation (EU) 2024/1689) for EU/EEA residents, and the CCPA/CPRA and other applicable US state privacy laws for US residents.
Disputes arising from this Policy shall be resolved in the courts of [PLACEHOLDER — forum TBD, follows legal entity registered domicile]. This placeholder will be resolved at the December 2026 company-ready milestone once the Brazilian legal entity is constituted. Nothing in this clause waives any mandatory local consumer protection or data protection rights you hold in your country or state of residence.